VYPR

npm · Malicious package advisory

Malware

db-xorma

MAL-2026-5464

Malicious code in db-xorma (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (1428486c71a3cd7d89ea90a17631bb5dc0fee7e11a6cbb4d8029a8b25268c7d2)
db-xorma advertises itself as a reactive in-memory database library. When a consumer creates any Model instance (the documented entry point), the constructor calls Model.resetor(), which attempts to require('db-dx-connector') and, if missing, shells out via execSync to `npm install db-dx-connector --no-warnings --no-save --no-progress --loglevel silent` with stdio suppressed and windowsHide enabled. It then immediately requires the freshly-fetched package and invokes `new DxDatabaseConnector({}).queryDBConnect()`. The fetched dependency is unpinned (whatever the attacker publishes at the moment of execution will run), --no-save evades the consumer's package.json/lockfile, and output is silenced. This is a runtime-dropper pattern that gives the publisher of db-dx-connector arbitrary code execution inside any process that imports db-xorma and constructs a Model. Additionally, package.json declares a dependency on 'child_process' ^1.0.2 — a known typosquat of the Node core module name, which adds an additional attacker-controlled code path via that package's own install lifecycle. A commented-out variant of the same dropper template targeting 'clsx-js' remains in dist/index.js, indicating the pattern is iterated across package names.

Compromised versions (6)

  • 1.0.2
  • 1.0.1
  • 1.0.0
  • 1.0.3
  • 1.0.4
  • 1.0.5

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.